<!doctype html>
<html lang="en">
	<head>
		<meta charset="utf-8">
		<meta name="viewport" content="width=device-width, initial-scale=1.0, maximum-scale=1.0, user-scalable=no">

		<title>Reactive Spring Security 5 Workshop</title>
        <meta name="description" content="Reactive Spring Security 5 Workshop">
        <meta name="author" content="Andreas Falk">

		<link rel="stylesheet" href="css/reset.css">
		<link rel="icon" href="images/cropped-novatec-favicon-32x32.png" sizes="32x32" />
        <link rel="icon" href="images/cropped-novatec-favicon-192x192.png" sizes="192x192" />


        <meta name="apple-mobile-web-app-capable" content="yes">
        <meta name="apple-mobile-web-app-status-bar-style" content="black-translucent">

        <meta name="viewport" content="width=device-width, initial-scale=1.0">

        <link rel="stylesheet" href="css/reset.css">
        <link rel="stylesheet" href="css/reveal.css">
		<link rel="stylesheet" href="css/theme/novatec.css">

		<!-- Theme used for syntax highlighting of code -->
		<link rel="stylesheet" href="lib/css/zenburn.css">

		<!-- Printing and PDF exports -->
		<script>
			var link = document.createElement( 'link' );
			link.rel = 'stylesheet';
			link.type = 'text/css';
			link.href = window.location.search.match( /print-pdf/gi ) ? 'css/print/pdf.css' : 'css/print/paper.css';
			document.getElementsByTagName( 'head' )[0].appendChild( link );
		</script>
	</head>
	<body>
		<div class="reveal">
			<div class="slides">

                <!-- Introduction -->
                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h2 style="color: white">Reactive</h2>
                        <h2 style="color: white">Spring Security 5</h2>
                        <h2 style="color: white">Workshop</h2>
                        <p><small><a href="https://andifalk.github.io/reactive-spring-security-5-workshop">https://andifalk.github.io/reactive-spring-security-5-workshop</a></small></p>
                    </section>
                    <section data-background-color="white">
                        <img class="plain" src="images/andreas_falk.jpg" width="40%">
                        <h4>Andreas Falk</h4>
                        <p><strong>Novatec Consulting GmbH</strong></p>
                        <p><small>
                            <a href="https://www.novatec-gmbh.de/">https://www.novatec-gmbh.de</a><br>
                            andreas.falk@novatec-gmbh.de / @andifalk<br>
                        </small></p>
                        <p><img class="plain" src="images/novatec_logo_big.png" width="40%"></p>
                    </section>
                    <section data-background="images/novatec_at_glance.png" data-background-size="80%">
                    </section>
                    <section data-background="images/novatec_challenges.png">
                    </section>
                    <section data-background="images/novatec_title_back.png">
                        <h2 style="color: white">Our Security Offerings</h2>
                        <ul style="color: white;">
                            <li>Security Awareness Trainings</li>
                            <li>Threat Modeling Trainings & Consulting</li>
                            <li>OAuth 2.0 & OpenID Connect 1.0 Trainings & Consulting</li>
                            <li>Spring Security Trainings</li>
                            <li>Security Audits</li>
                        </ul>
                        <p><small><a href="https://www.novatec-gmbh.de/beratung/">https://www.novatec-gmbh.de/beratung/</a></small></p>
                    </section>
                </section>

                <!-- Workshop Intro & Agenda-->

                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h2 style="color: white">The</h2>
                        <h2 style="color: white;">Reactive Spring Security Workshop</h2>
                        <p style="color: white">
                            <small>
                                <a href="https://andifalk.github.io/reactive-spring-security-5-workshop">https://andifalk.github.io/reactive-spring-security-5-workshop</a>
                                <a href="https://github.com/andifalk/reactive-spring-security-5-workshop">https://github.com/andifalk/reactive-spring-security-5-workshop</a>
                            </small>
                        </p>
                    </section>
                    <section data-background="images/novatec_agenda_back.png">
                        <div style="text-align: left; margin-left: -2em; margin-top: 2em">
                            <h3>Part 1</h3>
                            <ol>
                                <li>Introduction to Reactive Programming</li>
                                <li>Spring Security Basics</li>
                                <li>Spring Security Practice (Hands-On) Part 1</li>
                                <ul>
                                    <li>Authentication</li>
                                    <li>Password Security & Upgrades</li>
                                </ul>
                                <li>Lunch-Break</li>
                            </ol>
                        </div>
                    </section>
                    <section data-background="images/novatec_agenda_back.png">
                        <div style="text-align: left; margin-left: -2em; margin-top: 2em">
                            <h3>Part 2</h3>
                            <ol>
                                <li>Spring Security Practice (Hands-On) Part 2</li>
                                <ul>
                                    <li>Authorization</li>
                                    <li>Automated Security Tests</li>
                                </ul>
                                <li>Introduction into OAuth 2.0 and OpenID Connect</li>
                                <li>Spring Security OAuth2/OIDC (Hands-On)</li>
                                <ul>
                                    <li>Resource Server</li>
                                    <li>OIDC Client</li>
                                </ul>
                            </ol>
                        </div>
                    </section>
                    <section data-background="images/novatec_separator_back.png">
                        <h2 style="color: white">In the meantime...</h2>
                        <p style="color: white">Prepare for the hands-on parts:</p>
                        <p style="color: white"><a href="https://github.com/andifalk/reactive-spring-security-5-workshop/tree/master/setup">https://github.com/andifalk/reactive-spring-security-5-workshop/tree/master/setup</a></p>
                    </section>
                </section>

                <!-- Reactive Streams & Programming Intro -->

                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h1 style="color: white">Reactive Systems</h1>
                        <p>&mdash; <a href="https://www.reactivemanifesto.org">reactivemanifesto.org</a></p>
                    </section>
                    <section>
                        <h2>Reactive Systems</h2>
                        <p>&ldquo;[...] we want systems that are Responsive, Resilient, Elastic and Message Driven. We call these Reactive Systems.&rdquo;</p>
                        <p>&mdash; <a href="https://www.reactivemanifesto.org">reactivemanifesto.org</a></p>
                    </section>
                    <section>
                        <h2>Reactive Systems</h2>
                        <h3>- Responsive -</h3>
                        <p>&ldquo;The system responds in a timely manner if at all possible&rdquo;</p>
                    </section>
                    <section>
                        <h2>Reactive Systems</h2>
                        <h3>- Resilient -</h3>
                        <p>&ldquo;The system stays responsive in the face of failure&rdquo;</p>
                    </section>
                    <section>
                        <h2>Reactive Systems</h2>
                        <h3>- Elastic -</h3>
                        <p>&ldquo;The system stays responsive under varying workload&rdquo;</p>
                    </section>
                    <section>
                        <h2>Reactive Systems</h2>
                        <h3>- Message Driven -</h3>
                        <p>&ldquo;Reactive Systems rely on asynchronous message-passing&rdquo;</p>
                    </section>
                    <section>
                        <h2>Reactive Streams</h2>
                        <p>&ldquo;Reactive Streams is an initiative to provide a standard for asynchronous stream processing with non-blocking back pressure..&rdquo;</p>
                        <p>&mdash; <a href="http://www.reactive-streams.org/">reactive-streams.org/</a></p>
                        <img src="images/publishersubscriber_backpressure.png" width="56%">
                    </section>
                    <section>
                        <h2>Reactive Streams</h2>
                        <h3>Implementations</h3>
                        <ul>
                            <li><a href="https://github.com/ReactiveX/RxJava">RxJava</a></li>
                            <li><a href="https://akka.io/">Akka</a></li>
                            <li><a href="https://vertx.io/">Vert.x</a></li>
                            <li><a href="https://projectreactor.io/">Project Reactor</a></li>
                        </ul>
                    </section>
                    <section>
                        <h2>Publisher</h2>
                        <pre><code class="hljs java" data-trim>
                            package org.reactivestreams;

                            public interface Publisher&lt;T&gt; {
                                public void subscribe(Subscriber&lt;? super T&gt; s);
                            }
                        </code></pre>
                    </section>
                    <section>
                        <h2>Subscriber</h2>
                        <pre><code class="hljs java" data-trim>
                            package org.reactivestreams;

                            public interface Subscriber&lt;T&gt; {
                                public void onSubscribe(Subscription s);
                                public void onNext(T t);
                                public void onError(Throwable t);
                                public void onComplete();
                            }

                        </code></pre>
                    </section>
                    <section>
                        <h2>Subscription</h2>
                        <pre><code class="hljs java" data-trim>
                            package org.reactivestreams;

                            public interface Subscription {
                                public void request(long n);
                                public void cancel();
                            }
                        </code></pre>
                    </section>
                    <section>
                        <h2>Processor</h2>
                        <pre><code class="hljs java" data-trim>
                            package org.reactivestreams;

                            public interface Processor&lt;T, R&gt; extends
                                     Subscriber&lt;T&gt;, Publisher&lt;R&gt; {}
                        </code></pre>
                    </section>
                    <section>
                        <h2>Reactive Streams</h2>
                        <h3>Included Since Java 9</h3>
                        <p>java.util.concurrent.Flow.Publisher&lt;T&gt;</p>
                        <p>java.util.concurrent.Flow.Subscriber&lt;T&gt;</p>
                        <p>java.util.concurrent.Flow.Subscription</p>
                        <p>java.util.concurrent.Flow.Processor&lt;T, R&gt;</p>
                    </section>
                    <section data-background="images/novatec_title_back.png">
                        <h1 style="color: white">Project Reactor</h1>
                        <p><a href="https://projectreactor.io/">projectreactor.io</a></p>
                    </section>
                    <section>
                        <h2>Project Reactor</h2>
                        <p>&ldquo;Reactor is a fourth-generation<sup>1</sup> reactive library for building non-blocking applications on
                            the JVM based on the Reactive Streams Specification&rdquo;</p>
                        <p>&mdash; <a href="https://projectreactor.io/">projectreactor.io</a></p>
                        <p><small><a href="https://akarnokd.blogspot.com/2016/03/operator-fusion-part-1.html">1) David Karnok’s Generations of Reactive classification</a></small></p>
                        <img src="images/reactor.png" class="plain" width="20%">
                    </section>
                    <section>
                        <h3>Composable reactive types</h3>
                        <h4>- Mono -</h4>
                        <p>An Asynchronous 0-1 Result</p>
                        <p>
                            <img src="images/mono.png" class="plain" width="120%">
                        </p>
                    </section>
                    <section>
                        <h3>Composable reactive types</h3>
                        <h4>- Flux -</h4>
                        <p>An Asynchronous Sequence of 0-N Items</p>
                        <p>
                            <img src="images/flux.png" class="plain" width="120%">
                        </p>
                    </section>
                    <section>
                        <h2>Imperative vs. Reactive</h2>
                        <h4>Imperative</h4>
                        <pre><code class="hljs java" data-trim>
                            String msg = "World";
                            String upperCaseMsg = msg.toUpperCase();
                            String greeting = "Hello " + upperCaseMsg + "!";
                            System.out.println(greeting);
                        </code></pre>
                        <h4>Reactive</h4>
                        <pre><code class="hljs java" data-trim>
                            Mono.just("World")
                                .map(String::toUpperCase)
                                .map(um -> "Hello " + um + "!")
                                .subscribe(System.out::println);
                        </code></pre>
                    </section>
                    <section>
                        <h2>Reactor Debug agent</h2>
                        <p>Debugging Reactive code can sometimes be challenging</p>
                        <p>
                            <a href="https://spring.io/blog/2019/03/28/reactor-debugging-experience">spring.io/blog/2019/03/28/reactor-debugging-experience</a>
                        </p>
                        <p>
                            <a href="https://projectreactor.io/docs/core/release/reference/#debugging">https://projectreactor.io/docs/core/release/reference/#debugging</a>
                        </p>
                    </section>
                    <section>
                        <h2>BlockHound</h2>
                        <p>Detect blocking code</p>
                        <p>
                            <a href="https://spring.io/blog/2019/03/28/reactor-debugging-experience">spring.io/blog/2019/03/28/reactor-debugging-experience</a>
                        </p>
                        <p>
                            <a href="https://github.com/reactor/BlockHound">https://github.com/reactor/BlockHound</a>
                        </p>
                    </section>
                    <section data-background="images/novatec_separator_back.png">
                        <h2 style="color: white">Let's try this...</h2>
                        <p style="color: white">intro-labs/reactive-playground</p>
                        <p>&nbsp;</p>
                        <p><a href="https://projectreactor.io/docs/core/release/reference">projectreactor.io/docs/core/release/reference</a></p>
                        <p><a href="https://projectreactor.io/docs/core/release/reference/#which-operator">projectreactor.io/docs/core/release/reference/#which-operator</a></p>
                    </section>
                </section>

                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h1 style="color: white">Spring WebFlux</h1>
                        <p>&mdash; <a href="https://spring.io/projects/spring-framework">spring.io/projects/spring-framework</a></p>
                    </section>
                    <section>
                        <h2>Servlet vs. Reactive Web Stack</h2>
                        <p>
                            <img src="images/servlet_reactive_stacks.png" class="plain">
                        </p>
                    </section>
                    <section>
                        <h2>Web Threading Model</h2>
                        <p>
                            <img src="images/choose_appropriate_threading_model.png" class="plain">
                        </p>
                    </section>
                    <section>
                        <h2>Reactive Data Stores</h2>
                        <p>
                            <img src="images/reactive_datastores.png" class="plain">
                        </p>
                    </section>
                    <section>
                        <h3>Reactive Relational Database Connectivity (R2DBC)</h3>
                        <ul>
                            <li>Reactive programming APIs for relational databases</li>
                            <li>JDBC: Blocking - R2DBC: Non-blocking reactive API</li>
                            <li>R2DBC drivers available for:</li>
                            <ul>
                                <li>Google Cloud Spanner</li>
                                <li>MySQL, MariaDB, PostgreSQL, H2</li>
                                <li>Microsoft SQL Server</li>
                            </ul>
                        </ul>
                        <p><small><a href="https://r2dbc.io/">https://r2dbc.io</a></small></p>
                    </section>
                    <section>
                        <h2>Reactive Spring Book</h2>
                        <h4>(Josh Long)</h4>
                        <p>&mdash; <a href="https://leanpub.com/reactive-spring">https://leanpub.com/reactive-spring</a></p>
                        <img src="images/reactive-spring-book.png" width="28%">
                    </section>
                </section>

                <!-- Why Security ? -->

                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h1 style="color: white">Security ?</h1>
                        <p style="color: white">&ldquo;From my experience all software developers are now security engineers wether they know it,
                            admit to it or do it [...]&rdquo;</p>
                        <p>&mdash; <a href="https://twitter.com/manicode/status/942965303310393344">Jim Manico on Twitter</a></p>
                    </section>
                    <section data-background="images/agile_security_attacks.svg" data-background-size="85%">
                    </section>
                    <section>
                        <iframe width="800" height="600" src="https://www.youtube.com/embed/M7qMP3C5bkU?start=919"
                                frameborder="0" allow="accelerometer; autoplay; encrypted-media; gyroscope; picture-in-picture"
                                allowfullscreen></iframe>
                    </section>
                    <section>
                        <p>&ldquo;If it's not secure, it's not guaranteed to be anything else either&rdquo;</p>
                        <img alt="maslow" src="images/software-quality-maslow.png" class="plain" width="55%">
                        <p><small><a href="https://gojko.net/2012/05/08/redefining-software-quality/">https://gojko.net/2012/05/08/redefining-software-quality/</a></small></p>
                    </section>
                    <section data-background="images/big_picture_security.png" data-background-size="80%">
                    </section>
                    <section>
                        <h4>OWASP Top 10 2017</h4>
                        <img alt="owasp top 10" src="images/owasp_top_10_2017_risks.png" width="85%">
                        <p><small><a href="https://www.owasp.org/index.php/Top_10-2017_Top_10">https://www.owasp.org/index.php/Top_10-2017_Top_10</a></small></p>
                    </section>
                    <section>
                        <p>Application Security Verification Standard</p>
                        <img src="images/asvs_sample.png" width="100%" class="plain">
                        <p><small><a href="https://github.com/OWASP/ASVS">https://github.com/OWASP/ASVS</a></small></p>
                    </section>
                </section>

                <!-- Spring Security -->

                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h1 style="color: white">Spring Security Basics</h1>
                        <p>&mdash; <a href="https://spring.io/projects/spring-security">spring.io/projects/spring-security</a></p>
                    </section>
                    <section>
                        <h2>Spring Security Overview</h2>
                        <p>
                            <img src="images/spring_security_overview.png" class="plain">
                        </p>
                    </section>
                    <section>
                        <h2>Spring Security 5</h2>
                        <ul>
                            <li>Authentication & Authorization</li>
                            <li>Password Encoding & Crypto (BCrypt, Argon2, ...)</li>
                            <li>Support for Servlet & Reactive Web Applications</li>
                            <li>Support for OAuth 2.0 & OpenID Connect 1.0</li>
                            <li>Authz Code (+ PKCE) & Client Credentials</li>
                            <li>Supports JWT and Opaque Tokens</li>
                            <li>Testing Support for Authentication/Authz/JWT</li>
                        </ul>
                    </section>
                    <section>
                        <h2>Spring Security 5</h2>
                        <h4>Secure By Default</h4>
                        <ul>
                            <li>Authentication required for all HTTP endpoints
                            <li>Default Validation for JWT
                            <li>Signature, Issuer, Expiration
                            <li>Includes Actuator (Monitoring) Endpoints</li>
                            <li>Except “health” and “info”</li>
                            <li>Session Fixation Protection</li>
                            <li>Session Cookie (HttpOnly, Secure)</li>
                            <li>CSRF Protection</li>
                            <li>Security Response Headers</li>
                        </ul>
                    </section>
                    <section data-background="images/novatec_separator_back.png">
                        <h2 style="color: white">Spring Security</h2>
                        <p>&nbsp;</p>
                        <h3 style="color: white">Servlet Web Stack</h3>
                    </section>
                    <section>
                        <h2>Security Dependencies</h2>
                        <h4>Servlet Web Stack</h4>
                        <pre><code class="hljs groovy" data-trim>
                            ...
                            implementation
                              'org.springframework.boot:spring-boot-starter-security'
                            implementation
                              'org.springframework.boot:spring-boot-starter-web'
                            ...
                        </code></pre>
                    </section>
                    <section>
                        <h2>Configuration</h2>
                        <h4>Servlet Web Stack</h4>
                        <pre><code class="hljs java" data-trim>
                            @Configuration
                            public class WebSecurityConfiguration
                                extends WebSecurityConfigurerAdapter {

                              @Override
                              protected void configure(HttpSecurity http)
                                                   throws Exception {
                                http.authorizeRequests()
                                        .anyRequest()
                                        .authenticated()
                                        .and()
                                        .httpBasic().and().formLogin();
                              }
                            }
                        </code></pre>
                    </section>
                    <section>
                        <h4>Authentication - Servlet Web Stack</h4>
                        <p>
                            <img src="images/spring_security_authentication.png" class="plain" width="82%">
                        </p>
                    </section>
                    <section data-background="images/novatec_separator_back.png">
                        <h2 style="color: white">Spring Security</h2>
                        <p>&nbsp;</p>
                        <h3 style="color: white">Reactive Web Stack</h3>
                    </section>
                    <section>
                        <h2>Security Dependencies</h2>
                        <h4>Reactive Web Stack</h4>
                        <pre><code class="hljs groovy" data-trim>
                            ...
                            implementation
                              'org.springframework.boot:spring-boot-starter-security'
                            implementation
                              'org.springframework.boot:spring-boot-starter-webflux'
                            ...
                        </code></pre>
                    </section>
                    <section>
                        <h2>Configuration</h2>
                        <h4>Reactive Web Stack</h4>
                        <pre><code class="hljs java" data-trim>
                            @Configuration
                            @EnableWebFluxSecurity
                            public class ReactiveWebSecurityConfiguration {

                              @Bean
                              SecurityWebFilterChain
                                    securityWebFilterChain(ServerHttpSecurity http) {
                                return http.authorizeExchange()
                                        .anyExchange()
                                        .authenticated()
                                        .and()
                                        .httpBasic().and().formLogin().and().build();
                              }
                            }
                        </code></pre>
                    </section>
                    <section>
                        <h4>Authentication - Reactive Web Stack</h4>
                        <p>
                            <img src="images/spring_security_authentication_reactive.png" class="plain">
                        </p>
                    </section>
                </section>

                <!-- hands-On Workshop -->

                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h1 style="color: white">Spring Security</h1>
                        <h3 style="color: white">Hands-On</h3>
                    </section>
                    <section>
                        <h2>Hands-On application</h2>
                        <h4>An online book library</h4>
                        <ul>
                            <li>Administer books</li>
                            <li>List available books</li>
                            <li>Borrow an available book</li>
                            <li>Return a borrowed book</li>
                            <li>Administer library users</li>
                        </ul>
                    </section>
                    <section>
                        <h3>Library Service</h3>
                        <img src="images/workshop_lab_1.png" class="plain">
                    </section>
                    <section>
                        <h3>Library Service Architecture</h3>
                        <img src="images/workshop_lab_2.png" class="plain">
                    </section>
                    <section>
                        <h3>Library Service API Docs</h3>
                        <img src="images/library_app_api.png" class="plain">
                        <p><small><a href="https://andifalk.github.io/reactive-spring-security-5-workshop/api-doc.html">https://andifalk.github.io/reactive-spring-security-5-workshop/api-doc.html</a></small></p>
                    </section>
                    <section>
                        <h1>Workshop Steps</h1>
                        <ul>
                            <li>Lab 1: Authentication (Auto Configuration)</li>
                            <li>Lab 2: Customized Authentication</li>
                            <li>Lab 3: Authorization</li>
                            <li>Lab 4: Automated Security Tests</li>
                        </ul>
                    </section>
                    <section>
                        <h3>Lab 1: Authentication</h3>
                        <h4>(Auto Configuration)</h4>
                        <img src="images/workshop_lab_3.png" class="plain">
                        <p><small><a href="https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html">Online Tutorial: Lab 1</a></small></p>
                    </section>
                    <section>
                        <h3>Lab 2: Authentication</h3>
                        <h4>(Customized)</h4>
                        <img src="images/workshop_lab_4.png" class="plain">
                        <p><small><a href="https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html">Online Tutorial: Lab 2</a></small></p>
                    </section>
                    <section>
                        <h3>Lab 3: Authorization</h3>
                        <img src="images/workshop_lab_5.png" class="plain">
                        <p><small><a href="https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html">Online Tutorial: Lab 3</a></small></p>
                    </section>
                    <section>
                        <h3>Lab 4: Automated Security Tests</h3>
                        <img src="images/workshop_lab_6.png" class="plain">
                        <p><small><a href="https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html">Online Tutorial: Lab 4</a></small></p>
                    </section>
                    <section data-background="images/novatec_separator_back.png">
                        <h2 style="color: white">Let's start...</h2>
                    </section>
                    <section>
                        <h2>Requirements</h2>
                        <p>Internet Access</p>
                        <p>Java JDK version 8 or 11</p>
                        <p>A Java IDE (Eclipse, STS, IntelliJ, VS Code, NetBeans, ...)</p>
                    </section>
                    <section>
                        <h2>Workshop Code</h2>
                        <p>Get via <em>git clone</em> or download as zip file:</p>
                        <p><a href="https://github.com/andifalk/reactive-spring-security-5-workshop">https://github.com/andifalk/reactive-spring-security-5-workshop</a></p>
                    </section>
                    <section>
                        <h2>Workshop Tutorial</h2>
                        <p><a href="https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html">https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html</a></p>
                        <p><a href="https://github.com/andifalk/reactive-spring-security-5-workshop/raw/master/docs/workshop-tutorial.pdf">https://github.com/andifalk/reactive-spring-security-5-workshop/raw/master/docs/workshop-tutorial.pdf</a></p>
                    </section>
                </section>

                <section>
                    <section data-background="images/novatec_agenda_back.png">
                        <div style="text-align: left; margin-left: -2em; margin-top: 2em">
                            <h3>Part 2</h3>
                            <ol>
                                <li>Introduction into OAuth 2</li>
                                <li>Introduction into OpenID Connect</li>
                                <li>Spring Security OAuth2/OIDC (Hands-On)</li>
                                <ul>
                                    <li>Authorization Code Flow Demo</li>
                                    <li>Resource Server</li>
                                    <li>OIDC Client</li>
                                </ul>
                            </ol>
                        </div>
                    </section>
                    <section data-background="images/novatec_separator_back.png">
                        <h2 style="color: white">In the meantime...</h2>
                        <p>&nbsp;</p>
                        <p>Make sure your Keycloak instance is set up and running</p>
                    </section>
                </section>

                <!-- Introduction into OAuth 2.0 and OpenID Connect 1.0 -->
                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h1 style="color: white">OAuth 2.0</h1>
                        <h2 style="color: white">101</h2>
                        <p>
                            <small>
                                <a href="https://tools.ietf.org/html/rfc6749">RFC 6749: The OAuth 2.0 Authorization Framework</a><br>
                                <a href="https://tools.ietf.org/html/rfc6750">RFC 6750: OAuth 2.0 Bearer Token Usage</a><br>
                                <a href="https://tools.ietf.org/html/rfc6819">RFC 6819: OAuth 2.0 Threat Model and Security Considerations</a>
                            </small>
                        </p>
                    </section>
                    <section>
                        <h2>What is OAuth 2.0?</h2>
                        <p>
                            OAuth 2.0 is an authorization delegation framework<br>
                        </p>
                        <img src="images/Valet_Ferrari.png" class="plain" width="70%">
                    </section>
                    <section>
                        <h3>OAuth 2.0 Model</h3>
                        <img src="images/oauth2_protocol.png" class="plain">
                    </section>
                    <section>
                        <h3>OAuth 2.0 Grant Flows</h3>
                        <table style="font-size: smaller">
                            <thead>
                            <tr>
                                <th>Client Type</th>
                                <th>Flow</th>
                                <th>Refresh Tokens</th>
                            </tr>
                            </thead>
                            <tbody>
                            <tr>
                                <td>Confidential</td>
                                <td>Authorization Code</td>
                                <td>X</td>
                            </tr>
                            <tr>
                                <td>Public (Native)</td>
                                <td>Authorization Code (PKCE)</td>
                                <td>X</td>
                            </tr>
                            <tr>
                                <td>Public (SPA)</td>
                                <td>Implicit</td>
                                <td>--</td>
                            </tr>
                            <tr>
                                <td>Trusted</td>
                                <td>RO Password Creds</td>
                                <td>X</td>
                            </tr>
                            <tr>
                                <td>No Resource Owner</td>
                                <td>Client Credentials</td>
                                <td>--</td>
                            </tr>
                            </tbody>
                        </table>
                    </section>
                    <section>
                        <h4>Authorization Code Grant Flow</h4>
                        <img src="images/authorization_code_schema.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_1.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_2.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_3.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_4.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_5.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_6.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_7.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_8.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_9.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_10.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_11.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_12.png" class="plain" width="100%">
                    </section>
                    <section data-transition="none">
                        <h4>Authorization code grant flow</h4>
                        <img src="images/authorization_code_13.png" class="plain" width="100%">
                    </section>
                    <section data-background="images/novatec_separator_back.png">
                        <h4 style="color: white">We'll see</h4>
                        <h3 style="color: white">Authorization Code Grant Flow</h3>
                        <p style="color: white">in action as part of <a href="https://github.com/andifalk/https://andifalk.github.io/reactive-spring-security-5-workshop/tree/master/intro-labs/auth-code-demo">Intro Lab</a></p>
                    </section>
                    <section>
                        <h4>Implicit Flow Attacks</h4>
                        <img class="plain" src="images/oauth_implicit_grant_attacks_d_fett.png" width="100%">
                        <br><small>Source: Torsten Lodderstedt and Daniel Fett</small>
                        <p><small><a href="https://tools.ietf.org/html/draft-ietf-oauth-security-topics">OAuth 2.0 Security Best Current Practice</a></small></p>
                    </section>
                    <section>
                        <h3>&ldquo;OAuth 2.1&rdquo; Grant Flows</h3>
                        <table style="font-size: smaller">
                            <thead>
                            <tr>
                                <th>Client Type</th>
                                <th>Flow</th>
                                <th>Refresh Tokens</th>
                            </tr>
                            </thead>
                            <tbody>
                            <tr>
                                <td>Confidential</td>
                                <td style="font-weight: bold">Authorization Code (PKCE)</td>
                                <td>X</td>
                            </tr>
                            <tr>
                                <td>Public (Native)</td>
                                <td>Authorization Code (PKCE)</td>
                                <td>X</td>
                            </tr>
                            <tr>
                                <td>Public (SPA)</td>
                                <td style="font-weight: bold">Authorization Code (PKCE)</td>
                                <td>--</td>
                            </tr>
                            <tr style="text-decoration: line-through;">
                                <td>Trusted</td>
                                <td>RO Password Creds</td>
                                <td>X</td>
                            </tr>
                            <tr>
                                <td>No Resource Owner</td>
                                <td>Client Credentials</td>
                                <td>--</td>
                            </tr>
                            </tbody>
                        </table>
                    </section>
                    <section>
                        <h2>Proof Key for Code Exchange by OAuth Public Clients (PKCE)</h2>
                        <p>(&ldquo;Pixy&rdquo;)</p>
                        <p>Mitigates authorization code attacks</p>
                        <p>Mitigates token leakage in SPAs</p>
                        <p>
                            <small>
                                <a href="https://tools.ietf.org/html/rfc7636">Proof Key for Code Exchange by OAuth Public Clients</a>
                            </small>
                        </p>
                    </section>
                    <section>
                        <h4>PKCE - Authorization Request</h4>
                        <p style="text-align: left">GET https://authserver.example.com/authorize</p>
                        <p style="text-align: left; margin-left: 100px;">?response_type=code</p>
                        <p style="text-align: left; margin-left: 100px;">&client_id=abcdefg</p>
                        <p style="text-align: left; margin-left: 100px;">&redirect_uri=https://client.abc.com/callback</p>
                        <p style="text-align: left; margin-left: 100px;">&scope=api.read api.write</p>
                        <p style="text-align: left; margin-left: 100px;">&state=xyz</p>
                        <p style="text-align: left; margin-left: 100px; color: red;">&code_challenge=xyz...</p>
                        <p style="text-align: left; margin-left: 100px; color: red;">&code_challenge_method=S256</p>
                    </section>
                    <section>
                        <h4>PKCE - Token Request</h4>
                        <p style="text-align: left">POST https://authserver.example.com/token</p>
                        <p style="text-align: left; margin-left: 60px;">Content-Type: <br>application/x-www-form-urlencoded</p>
                        <p style="text-align: left; margin-left: 60px;">grant_type=authorization_code&code=ab23bhW56Xb</p>
                        <p style="text-align: left; margin-left: 60px;">&redirect_uri=https://client.abc.com/callback</p>
                        <p style="text-align: left; margin-left: 60px;">&client_id=123&client_secret=456</p>
                        <p style="text-align: left; margin-left: 60px; color: red;">&code_verifier=4gth4jn78k_8</p>
                    </section>
                </section>

                <!-- OpenID Connect 1.0 -->
                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h2 style="color: white">OpenID Connect 1.0</h2>
                        <h2 style="color: white">101</h2>
                        <small>
                            <p>
                                <a href="https://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect Core 1.0</a><br>
                                <a href="https://openid.net/specs/openid-connect-registration-1_0.html">OpenID Connect Dynamic Client Registration 1.0</a><br>
                                <a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>
                            </p>
                        </small>
                    </section>
                    <section>
                        <h3>OpenID Connect 1.0 is for Authentication</h3>
                        <img src="images/manico_tweet_oauth2_not_authentication.png" class="plain" width="100%">
                        <p>
                            <small>
                                <a href="https://oauth.net/articles/authentication/">OAuth 2.0 is not an authentication protocol</a>
                            </small>
                        </p>
                    </section>
                    <section>
                        <h3>OIDC additions to OAuth 2.0</h3>
                        <ul>
                            <li>ID Token</li>
                            <li>User Info Endpoint</li>
                            <li>OpenID Provider Discovery</li>
                        </ul>
                    </section>
                    <section>
                        <h3>ID Token</h3>
                        <h4>JSON Web token (JWT)</h4>
                        <p>Base 64 Encoded JSON Formatted Value of...</p>
                        <p class="fragment">...Header</p>
                        <p class="fragment">...Payload</p>
                        <p class="fragment">...Signature</p>
                        <pre><code class="http" data-trim>
                            GET / HTTP/1.1
                            Host: localhost:8080
                            Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGciOiJSUzI1N...
                        </code></pre>
                        <small>
                            <ul>
                                <li><a href="https://tools.ietf.org/html/rfc7519">RFC 7519: JSON Web Token (JWT)</a></li>
                                <li><a href="https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp">JSON Web Token Best Current Practices</a></li>
                                <li><a href="https://tools.ietf.org/html/draft-ietf-oauth-proof-of-possession">Proof-of-Possession Key Semantics for JSON Web Tokens (JWTs)</a></li>
                            </ul>
                        </small>
                    </section>
                    <section>
                        <h3>JSON Web Token (JWT)</h3>
                        <p>Header</p>
                        <pre><code class="json" data-trim>
                            {
                              typ: "JWT",
                              alg: "RS256"
                            }
                        </code></pre>
                        <p>Payload</p>
                        <pre><code class="json" data-trim>
                            {
                              iss: "https://identity.example.com",
                              aud: "my-client-id",
                              exp: 1495782385,
                              nonce: "N0.46824857243233511495739124749",
                              iat: 1495739185,
                              at_hash: "hC1NDSB8WZ9SnjXTid175A",
                              sub: "mysubject",
                              auth_time: 1495739185,
                              email: "test@gmail.com"
                            }
                        </code></pre>
                    </section>
                    <section>
                        <h2>ID Token Claims</h2>
                        <table style="font-size: smaller">
                            <thead>
                            <tr>
                                <th>Scope</th>
                                <th>Required</th>
                                <th>Description</th>
                            </tr>
                            </thead>
                            <tbody>
                            <tr>
                                <td>iss</td>
                                <td>X</td>
                                <td>Issuer Identifier</td>
                            </tr>
                            <tr>
                                <td>sub</td>
                                <td>X</td>
                                <td>Subject Identifier</td>
                            </tr>
                            <tr>
                                <td>aud</td>
                                <td>X</td>
                                <td>Audience(s) of this ID Token</td>
                            </tr>
                            <tr>
                                <td>exp</td>
                                <td>X</td>
                                <td>Expiration time</td>
                            </tr>
                            <tr>
                                <td>iat</td>
                                <td>X</td>
                                <td>Time at which the JWT was issued</td>
                            </tr>
                            <tr>
                                <td>auth_time</td>
                                <td>(X)</td>
                                <td>Time of End-User authentication</td>
                            </tr>
                            <tr>
                                <td>nonce</td>
                                <td>--</td>
                                <td>Associate a client with an ID Token</td>
                            </tr>
                            </tbody>
                        </table>
                    </section>
                    <section>
                        <h3>Access Tokens in OIDC</h3>
                        <p>Format and content still not standardized</p>
                        <p>But...</p>
                    </section>
                    <section>
                        <h3>OAuth 2 Access Token JWT Profile</h3>
                        <p>Required claims: iss, exp, aud, sub, client_id</p>
                        <p>Consider privacy restrictions for identity claims</p>
                        <p>Authorization claims according to SCIM Core (RFC7643):</p>
                        <ul>
                            <li>Groups</li>
                            <li>Entitlements</li>
                            <li>Roles</li>
                        </ul>
                        <p>
                            <small>
                                <a href="https://tools.ietf.org/pdf/rfc7643.pdf">System for Cross-domain Identity Management (SCIM)</a><br>
                                <a href="https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt">JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens</a>
                            </small>
                        </p>
                    </section>
                    <section>
                        <h2>Token Validation</h2>
                        <p>
                            <img src="images/token_validation.png" class="plain">
                        </p>
                    </section>
                    <section>
                        <h2>User Info Endpoint</h2>
                        <pre><code class="http" data-trim>
                            GET /userinfo HTTP/1.1
                            Host: identityserver.example.com
                            Authorization: Bearer SlAV32hkKG
                        </code></pre>
                        <pre><code class="http" data-trim>
                            HTTP/1.1 200 OK
                            Content-Type: application/json

                            {
                             "sub": "248289761001",
                             "name": "Jane Doe",
                             "given_name": "Jane",
                             "family_name": "Doe",
                             "preferred_username": "j.doe",
                             "email": "janedoe@example.com",
                             "picture": "http://example.com/janedoe/me.jpg"
                            }
                        </code></pre>
                    </section>
                    <section>
                        <h4>OpenID Connect 1.0 Configuration</h4>
                        <p>https://idp.example.com/.well-known/openid-configuration</p>
                        <pre><code class="json" data-trim>
                            {
                              "authorization_endpoint": "https://idp.example.com/auth",
                              "grant_types_supported": [
                                  "authorization_code",
                                  "implicit",
                                  "refresh_token"
                              ],
                              "issuer": "https://idp.example.com",
                              "jwks_uri": "https://idp.example.com/keys",
                              "token_endpoint": "https://idp.example.com/token",
                              "userinfo_endpoint": "https://idp.example.com/userinfo",
                              ...
                            }
                        </code></pre>
                        <p>
                            <small>
                                <a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a>
                            </small>
                        </p>
                    </section>
                </section>

                <!-- OIDC Workshop -->

                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h2 style="color: white">Hands-On Part</h2>
                        <h3 style="color: white">OAuth 2.0 & OpenID Connect 1.0</h3>
                        <h3 style="color: white">With Spring Security 5</h3>
                    </section>
                    <section>
                        <h2>&ldquo;Legacy&rdquo; Spring Security OAuth2 Stack</h2>
                        <img src="images/spring_security_old.png" class="plain">
                    </section>
                    <section>
                        <h2>&ldquo;New&rdquo; Spring Security 5<br> OAuth2/OIDC Stack</h2>
                        <img src="images/spring_security_new.png" class="plain">
                    </section>
                    <section>
                        <h2>&ldquo;New&rdquo; Spring Security 5<br> OAuth2/OIDC Stack</h2>
                        <img class="plain" src="images/spring_security_new.png">
                        <h4 style="color: red">We will use THIS stack !!!</h4>
                    </section>
                    <section data-background="images/novatec_separator_back.png">
                        <h2 style="color: white">Let's Code!!</h2>
                        <p>&nbsp;</p>
                        <p>&nbsp;</p>
                        <p>&nbsp;</p>
                        <p style="color: white">Make sure you have setup and started keycloak</p>
                        <p style="color: white">THEN</p>
                        <p style="color: white">Try the intro lab for Auth Code Demo</p>
                        <p style="color: white">and follow instructions for Labs 5 & 6 in the<br> <a href="https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html">online tutorial</a></p>
                    </section>
                    <section>
                        <h3>Starting Keycloak</h3>
                        <p>
                        ...on Linux/Mac OS
                        <pre><code class="hljs" data-trim>
                            [keycloak_install_dir]/bin/standalone.sh
                        </code></pre>
                        ...on Windows
                        <pre><code class="hljs" data-trim>
                            [keycloak_install_dir]\bin\standalone.bat
                        </code></pre>
                        </p>
                    </section>
                    <section>
                        <h2>Hands-On Labs</h2>
                        <ul>
                            <li>Intro-Lab: Authorization Code Flow Demo</li>
                            <li>Lab 5: OAuth2/OIDC Resource Server</li>
                            <li>Lab 6: OAuth2/OIDC Client (Auth Code Flow)</li>
                        </ul>
                        <p style="color: darkblue">Please follow <a href="https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html">online tutorial</a> in GitHub Repo</p>
                    </section>
                    <section>
                        <h2>Intro-Lab</h2>
                        <h3>Authorization Code Grant Flow</h3>
                        <h3>In Action</h3>
                        <p>See <a href="https://github.com/andifalk/https://andifalk.github.io/reactive-spring-security-5-workshop/tree/master/intro-labs/auth-code-demo">intro-labs/auth-code-demo</a> for instructions</p>
                    </section>
                    <section>
                        <h4>Labs 5 & 6: Resource Server and Client</h4>
                        <img src="images/workshop_lab_7.png" class="plain">
                        <p><small><a href="https://andifalk.github.io/reactive-spring-security-5-workshop/workshop-tutorial.html">Online Tutorial: Labs 5 & 6</a></small></p>
                    </section>
                    <section>
                        <h2>Hands-On client & server</h2>
                        <img class="plain" src="images/demo-architecture.png" width="100%">
                    </section>
                </section>

                <!-- What is new in Spring Security -->

                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h2 style="color: white">What's new in</h2>
                        <h2 style="color: white">Spring Security</h2>
                        <h2 style="color: white">5.2 & 5.3</h2>
                    </section>
                    <section>
                        <h2>Spring Security 5.2 (08/2019)</h2>
                        <ul>
                            <li><a href="https://github.com/spring-projects/spring-security/issues/6446">Client Support for PKCE</a></li>
                            <li><a href="https://github.com/spring-projects/spring-security/issues/5350">OpenID Connect RP-Initiated Logout</a></li>
                            <li><a href="https://github.com/spring-projects/spring-security/issues/5200">Support for OAuth 2.0 Token Introspection</a></li>
                            <li><a href="https://github.com/spring-projects/spring-security/issues/5351">Resource Server Multi-tenancy (Servlet & Reactive)</a></li>
                            <li><a href="https://github.com/spring-projects/spring-security/issues/5465">Use symmetric keys with JwtDecoder</a></li>
                            <li><a href="https://github.com/spring-projects/spring-security/issues/6634">JWT Flow API in Test Support</a></li>
                        </ul>
                        <p>
                            <small>
                                <a href="https://github.com/spring-projects/spring-security/milestone/132">Spring Security 5.2.0 M2 GitHub Issues</a><br>
                                <a href="https://github.com/spring-projects/spring-security/milestone/141">Spring Security 5.2.0 M3 GitHub Issues</a><br>
                                <a href="https://github.com/spring-projects/spring-security/milestone/142">Spring Security 5.2.0 RC1 GitHub Issues</a><br>
                            </small>
                        </p>
                    </section>
                    <section>
                        <h3>OAuth 2.0 Token Introspection</h3>
                        <p>Opaque Tokens</p>
                        <pre><code class="java" data-trim>
                            class ResSrvConfig extends WebSecurityConfigurerAdapter {

                                @Override
                                protected void configure(HttpSecurity http)
                                        throws Exception {
                                    http.oauth2ResourceServer()
                                            .opaqueToken()
                                                .introspectionUri(this.introspectionUri)
                                                .introspectionClientCredentials(
                                                    this.clientId, this.clientSecret);
                                }
                            }
                        </code></pre>
                        <small>
                            <a href="https://github.com/spring-projects/spring-security/issues/5200">https://github.com/spring-projects/spring-security/issues/5200</a>
                        </small>
                    </section>
                    <section>
                        <h3>Resource Server Multi-tenancy</h3>
                        <pre><code class="java" data-trim>
                            class ResSrvConfig extends WebSecurityConfigurerAdapter {

                                @Override protected void configure(HttpSecurity http) {
                                    http.oauth2ResourceServer()
                                        .authenticationManagerResolver(
                                            multitenantAuthenticationManager());
                                }

                                @Bean AuthenticationManagerResolver&lt;HttpServletRequest&gt;
                                    multiTenantAuthMgr() {...}

                                AuthenticationManager jwt() {...}
                                AuthenticationManager opaque() {...}
                            }
                        </code></pre>
                        <small>
                            <a href="https://github.com/spring-projects/spring-security/issues/5351">https://github.com/spring-projects/spring-security/issues/5351</a><br>
                            <a href="https://github.com/spring-projects/spring-security/issues/6727">https://github.com/spring-projects/spring-security/issues/6727</a>
                        </small>
                    </section>
                    <section>
                        <h4>Use symmetric keys with JwtDecoder</h4>
                        <pre><code class="java" data-trim>
                            class ResSrvConfig extends WebSecurityConfigurerAdapter {

                              @Value("${spring.security.oauth2.resourceserver.
                                            jwt.key-value}") RSAPublicKey key;

                              @Override protected void configure(HttpSecurity http) {
                                http.oauth2ResourceServer().jwt().decoder(jwtDecoder());
                              }

                              @Bean JwtDecoder jwtDecoder() throws Exception {
                                  return NimbusJwtDecoder.
                                          withPublicKey(this.key).build();
                              }
                            }
                        </code></pre>
                        <small>
                            <a href="https://github.com/spring-projects/spring-security/issues/5465">https://github.com/spring-projects/spring-security/issues/5465</a>
                        </small>
                    </section>
                    <section>
                        <h4>JWT Flow API in Test Support</h4>
                        <pre><code class="java" data-trim>
                            public class OAuth2ResourceServerTest {

                                @Test
                                public void testRequestPostProcessor() {
                                  mockMvc.perform(get("/message")
                                  .with(mockAccessToken().scope("message:read")))
                                  .andExpect(status().isOk())

                                  mockMvc.perform(get("/")
                                  .with(jwt().claim(SUB, "the-subject")))
                                  .andExpect(status().isOk())
                                }
                            }
                        </code></pre>
                        <small>
                            <a href="https://github.com/spring-projects/spring-security/issues/6634">https://github.com/spring-projects/spring-security/issues/6634</a>
                        </small>
                    </section>
                    <section>
                        <h2>Spring Security 5.3</h2>
                        <p><a href="https://github.com/spring-projects/spring-security/issues/6320">Support OAuth 2.0 Authorization Server:</a></p>
                        <ul>
                            <li>OAuth 2.0 Authorization Code Grant</li>
                            <li>OpenID Connect 1.0 (Authorization Code Flow)</li>
                            <li>PKCE</li>
                            <li>OAuth 2.0 Client Credentials Grant</li>
                            <li>JWT Access Token format</li>
                            <li>JWK Set Endpoint</li>
                            <li>Opaque Access Token format</li>
                            <li>OAuth 2.0 Token Revocation</li>
                        </ul>
                        <p><small><a href="https://github.com/spring-projects/spring-security/milestone/136">Spring Security 5.3.0 GitHub Issues</a></small></p>
                    </section>
                </section>

                <!-- The End -->
                <section>
                    <section data-background="images/novatec_title_back.png">
                        <h2 style="color: white">Summary & References</h2>
                    </section>
                    <section>
                        <h2>Book References</h2>
                        <img src="images/iron-glad-java.jpg" class="plain" width="24%">
                        <img src="images/devops-handbook.jpg" class="plain" width="20%">
                        <img src="images/oauth2_in_action.jpg" class="plain" width="24%">
                        <img src="images/agile-security-book.jpg" class="plain" width="24%">
                    </section>
                    <section>
                        <h2>Online References</h2>
                        <small>
                            <ul>
                                <li><a href="https://tools.ietf.org/html/rfc6749">RFC 6749: The OAuth 2.0 Authorization Framework</a></li>
                                <li><a href="https://tools.ietf.org/html/rfc6750">RFC 6750: OAuth 2.0 Bearer Token Usage</a></li>
                                <li><a href="https://tools.ietf.org/html/rfc6819">RFC 6819: OAuth 2.0 Threat Model and Security Considerations</a></li>
                                <li><a href="http://tools.ietf.org/html/rfc7636">RFC 7636: Proof Key for Code Exchange (&ldquo;Pixy&rdquo;)</a></li>
                                <li><a href="https://openid.net/specs/openid-connect-core-1_0.html">OpenID Connect Core 1.0</a></li>
                                <li><a href="https://openid.net/specs/openid-connect-registration-1_0.html">OpenID Connect Dynamic Client Registration 1.0</a></li>
                                <li><a href="https://openid.net/specs/openid-connect-discovery-1_0.html">OpenID Connect Discovery 1.0</a></li>
                                <li><a href="https://tools.ietf.org/html/rfc7519">RFC 7519: JSON Web Token (JWT)</a></li>
                                <li><a href="https://tools.ietf.org/html/draft-ietf-oauth-jwt-bcp">JSON Web Token Best Current Practices</a></li>
                                <li><a href="https://sec.uni-stuttgart.de/events/osw2019">4. OAuth Security Workshop 2019 event web page</a></li>
                                <li><a href="https://medium.com/oauth-2/why-you-should-stop-using-the-oauth-implicit-grant-2436ced1c926">Why you should stop using the OAuth implicit grant</a></li>
                                <li><a href="https://tools.ietf.org/html/draft-ietf-oauth-security-topics">OAuth 2.0 Security Best Current Practice</a></li>
                                <li><a href="https://tools.ietf.org/html/draft-ietf-oauth-browser-based-apps-01">OAuth 2.0 for Browser-Based Apps</a></li>
                                <li><a href="https://tools.ietf.org/html/draft-ietf-oauth-mtls">OAuth 2.0 Mutual TLS Client Authentication and Certificate-Bound Access Tokens</a></li>
                                <li><a href="https://tools.ietf.org/html/draft-ietf-oauth-access-token-jwt">JSON Web Token (JWT) Profile for OAuth 2.0 Access Tokens</a></li>
                                <li><a href="https://spring.io/projects/spring-security">Spring Security</a></li>
                            </ul>
                            <p>All images used are from <a href="https://pixabay.com/">Pixabay</a> and are published under <a href="http://creativecommons.org/publicdomain/zero/1.0/deed.en">Creative Commons CC0 license.</a></p>
                            All used logos are trademarks of respective companies
                        </small>
                    </section>
                    <section data-background="images/novatec_trainings.png">
                    </section>
                    <section data-background="images/novatec_final_back.png">
                        <div style="text-align: left; margin-left: -2em; margin-top: -2em">
                        <h4 style="color: white">Andreas Falk / @andifalk</h4>
                        <p style="color: white">
                        Novatec Consulting GmbH<br>
                        Dieselstraße 18/1<br>
                        D-70771 Leinfelden-Echterdingen<br>
                        andreas.falk@novatec-gmbh.de
                        </p>
                        <a href="https://www.novatec-gmbh.de">https://www.novatec-gmbh.de</a>
                        </div>
                    </section>
                </section>
			</div>
		</div>

		<script src="js/reveal.js"></script>

		<script>
			// More info about config & dependencies:
			// - https://github.com/hakimel/reveal.js#configuration
			// - https://github.com/hakimel/reveal.js#dependencies
			Reveal.initialize({
                hash: true,
                fragmentInURL: false,
                dependencies: [
					{ src: 'plugin/markdown/marked.js' },
					{ src: 'plugin/markdown/markdown.js' },
                    { src: 'plugin/print-pdf/print-pdf.js' },
                    { src: 'plugin/zoom-js/zoom.js', async: true },
                    { src: 'plugin/notes/notes.js', async: true },
                    { src: 'plugin/tagcloud/tagcloud.js', async: true },
                    { src: 'plugin/elapsed-time-bar/elapsed-time-bar.js'},
					{ src: 'plugin/highlight/highlight.js', async: true }
				]
			});
            Reveal.configure({
                slideNumber: 'c/t',
                pdfMaxPagesPerSlide: 1
            });
		</script>
	</body>
</html>
